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Pipelined Deciphering Round Keys Generation 

BACKGROUND OF THE INVENTION 

5 

1. Field of the Invention 

The present invention relates to the field of ciphering and deciphering. More 
specifically, the present invention relates to line rate deciphering having special 
application in network traffic routing. 

10 

2. Background Information 

With advances in integrated circuit, microprocessor, networking and 
communication technologies, increasing number of devices, in particular, digital 
computing devices, are being networked together. Devices are often first coupled to 

15 a local area network, such as an Ethernet based office/home network. In turn, the 
local area networks are interconnected together through wide area networks, such 
as ATM networks, Frame Relays, and the like. Of particular notoriety is the TCP/IP 
based global inter-networks, Internet. 

As a result of this trend of increased connectivity, increasing number of 

20 applications that are network dependent are being deployed. Examples of these 
network dependent applications include but are not limited to, email, net based 
telephony, world wide web and various types of e-commerce. Successes of many 
of these content/service providers as well as commerce sites depend on high speed 
delivery of a large volume of data. 

25 At the same time, with increased concern over privacy and security, 

increasing amount of data are being transferred in a ciphered basis. As a result, 
successes of the content/service providers as well as commerce sites are also 
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dependent on the routing devices, as well as the servers and client devices being 
able to cipher and decipher data at a very high rate. 

The fundamentals of ciphering and deciphering are well known in the art. 
Typically, a plain text is ciphered using a ciphering "master" key. The ciphering is 
5 effectuated incrementally over a number of iterations, employing a number of 

corresponding ciphering round keys. The ciphering round keys are generated from 
the ciphering "master" key using a round function, with the first ciphering round key 
generated directly from the ciphering "master" key and thereafter, each subsequent 
ciphering round key, from the immediately preceding ciphering round key, the 
10 original "master" key plus one or more pseudo random factors or other algorithmic 
approaches. The ciphered text is deciphered by applying the ciphering round keys 
backward. In other words, the first deciphering round key is the last ciphering round 
key. 

The emphasis under the prior art to-date typically has been on the robustness 
15 of ciphering, that is, ensuring it is difficult for any attacker to uncover the deciphering 
round keys. Generally, the "undetectability" of the ciphering/deciphering round keys 
are enhanced by increasing the pseudo randomness injected between successive 
rounds of ciphering. As a result, if a deciphering unit, or a unit responsible for 
providing the deciphering unit with the deciphering round keys, is required to 
20 generate the deciphering round keys (e.g. in symmetric ciphering/deciphering), the 
deciphering round keys are fully generated (by re-generating the ciphering round 
keys in the conventional forward manner), before deciphering can take place 
(applying the re-generated ciphering round keys in reverse order as deciphering 
round keys). 

25 The prior art approach of having the deciphering round keys fully generated is 

inefficient. In addition to having to wait for the generation of the last ciphering round 
key before deciphering can take place, the amount of storage elements required to 
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generate and hold all the deciphering round keys could be significant, especially for 
deciphering/deciphering processes that employ long ciphering/deciphering round 
keys and/or great numbers of rounds. The delay in the start of deciphering and the 
large amount of storage required are especially problematic for high speed 
5 applications that require high line rate deciphering for multiple data streams at the 
same time, such as high speed optical networking, where multiple network traffic 
flows often have to be deciphered substantially at the same time. The reason being, 
the desired high line rate deciphering typically means that all the deciphering has to 
be performed on-chip in parallel. However, the large memory requirement, and the 
10 resulting substantial IC real estate consumption render these prior art approaches 
less than desirable. 

Thus, a more efficient approach to deciphering, in particular, deciphering 
round key generation is desired. 

15 

SUMMARY OF THE INVENTION 

An apparatus is equipped with a deciphering round key generator to 
successively generate in real time at least a first and a second deciphering round 

20 key based on a deciphering key, and a deciphering unit coupled to the deciphering 
round key generator to successively employ the real time successively generated 
deciphering round keys to incrementally decipher a ciphered text. The deciphering 
round key generator at least generates the second deciphering round key in real 
time while the deciphering unit deciphers the ciphered text employing the real time 

25 generated first deciphering round key. 

In one embodiment, the deciphering round key generator generates the 
second deciphering round key in real time by iteratively generating its data words 
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over a plurality of iterations. In one embodiment, the deciphering round key 
generator includes a first XOR function, and iteratively generates the data words of 
the second round key over a plurality of iterations by generating one data word each 
iteration, performing an XOR operation on a first and a second round key data word 
5 using the first XOR function. 

In one embodiment, the first round key data word employed in each iteration 
is a first predecessor round key data word of the first plurality of round key data 
words of one deciphering master key length preceding the round key data word to 
be generated, and the second round key data word employed is a conditionally 
10 transformed version of a second predecessor round key data word immediately 
following the first predecessor round key data word (in terms of their orders of re- 
generation). 

In one embodiment, the conditional transformation includes outputting the 
"immediately following" predecessor round key data word without further processing, 
15 or further processing it before outputting the "immediately following" predecessor 
round key data word as the transformed version. The further processing 
conditionally includes one or more of rotational shifting, inverse computation, 
substitution, or another XOR operation. 

In one embodiment, the apparatus includes multiple ones of the deciphering 
20 round key generators, and multiple ones of the deciphering units, to generate 
multiple series of deciphering round keys in corresponding pipelined manner for 
deciphering multiple network traffic flows at the same time. 

In one embodiment, the apparatus is disposed on a single integrated circuit. 

25. 

BRIEF DESCRIPTION OF DRAWINGS 
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The present invention will be described by way of exemplary embodiments, 
but not limitations, illustrated in the accompanying drawings in which like references 
denote similar elements, and in which: 

Figure 1 illustrates an overview of the present invention; 
5 Figure 2 illustrates the ciphering and deciphering units of Fig. 1 in further 

detail, in accordance with one embodiment; 

Figures 3a-3b illustrates the ciphering and deciphering round key generation 
units of Fig, 2 in further detail, in accordance with one embodiment; 

Figure 4 illustrates the transformation unit of Figs. 3a-3b in further detail, in 
10 accordance with one embodiment; 

Figure 5 illustrates an example data organization for the constant values of 
Fig. 4, in accordance with one embodiment; and 

Figure 6 illustrates an example routing device incorporated with the 
deciphering teaching of the present invention. 



DETAILED DESCRIPTION OF THE INVENTION 



20 In the following description, various aspects of the present invention will be 

described. However, it will be apparent to those skilled in the art that the present 
invention may be practiced with only some or all aspects of the present invention. 
For purposes of explanation, specific numbers, materials and configurations are set 
forth in order to provide a thorough understanding of the present invention. However, 

25 it will also be apparent to one skilled in the art that the present invention may be 
practiced without the specific details. In other instances, well known features are 
omitted or simplified in order not to obscure the present invention. Further, the 
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description repeatedly uses the phrase "in one embodiment", which ordinarily does 
not refer to the same embodiment, although it may. 

Overview 

5 Referring now to Figure 1 , wherein an overview of the present invention is 

illustrated. As shown, data sender 102 and data receiver 104 are coupled to each 
other via communication link 107, over which data sender 102 may send data, 
including data in ciphered form, to data receiver 104. Data sender 102 is equipped 
with cipher function 106. More importantly, data receiver 104 is equipped with 

10 decipher function 108 incorporated with the decipher teachings of the present 

invention. As will be described in more detail below, in accordance with the present 
invention, decipher function 108 incrementally deciphers a ciphered text received 
from data sender 102 employing a number of deciphering round keys 
advantageously generated in a pipelined manner on an as needed basis. The 

15 ciphered text is assumed to be generated by cipher 106 in an incremental manner, 
employing a number of ciphering round keys (which may also be generated in a 
pipelined manner). Cipher 106 includes in particular a transformation unit having a 
number of substitution boxes and complementary operational elements employed in 
the iterative generation of the ciphering round keys. A number of substitution values 

20 are stored in the substitution boxes. Decipher function 108 is accordingly equipped 
with a similar transformation unit having similar substitution boxes and related 
complementary operational elements. The substitution boxes also having similar or 
substantially the same substitution values, representing the same function, 
transforming the inverse of an input value, thereby enabling decipher function 108 to 

25 generate the deciphering round keys in the desired pipelined manner. As a result, 
the amount of delay before deciphering can start, as well as the amount of storage 
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required to hold the relevant deciphering round keys at any one point in time are 
advantageously reduced. 

Except for the decipher teachings of the present invention incorporated in 
decipher function 108 of data receiver 104, data sender 102, data receiver 104 and 
5 communication link 107 are all intended to represent a broad range of data sending, 
data receiving and communication systems and/or components known in the art. 
Accordingly, except for the deciphering teachings incorporated, these elements will 
not be otherwise further described. 

10 Cipher and Decipher Functions 

Figure 2 illustrates cipher function 106 and decipher function 108 of Figure 1 
in further details, in accordance with one embodiment. As illustrated, cipher function 
106 includes cipher round key generation unit 202 and encryption function 204 
coupled to each other as shown. Cipher round key generation unit 202 is employed 

15 to successively generates a number of ciphering round keys in real time in a 
pipelined and as needed manner, based off provided ciphering "master" key K. 
Encryption function 204 is employed to incrementally encrypt or cipher plain text M, 
using the generated ciphering round keys as they are successively made available. 
More specifically, ciphering round key generation unit 202 generates the next 

20 ciphering round key required by encryption unit 204, while encryption unit 204 is 
incrementally ciphering the plain text M or an partially ciphered text for another 
round using the previously generated ciphering round key. In other words, ciphering 
round key generation unit 202 generates the first ciphering round key based off the 
provided ciphering "master" key K, and provides the first generated ciphering round 

25 key to use to incrementally cipher plain text M. Thereafter, while encryption unit 204 
incrementally ciphers plain text M for one round, ciphering round key generation unit 
202 generates the next ciphering round key. Upon completion of the first ciphering 

She et al - Pipelined Deciphering 7 Express Mail Label No: 

Round Keys Generation EL605310337US _ 




Attorney Docket Ref: 51040.P005 

round, encryption unit 204 incrementally ciphers the partially ciphered text for 
another round, while ciphering round key generation unit 202 generates yet another 
next ciphering round key. The process continues until the required number of 
rounds have been performed, with ciphering round key generation unit 202 
5 generating the "last" ciphering round key, and thereafter, encryption function 204 
incrementally ciphers the partially ciphered text for one last round, producing the 
ciphered text C. 

Ciphering round key generator 202 includes in particular certain 
transformation means employed in the pipelined process of the present invention for 

10 pipelined generation of the ciphering round keys, conditionally transforming an input 
data word at each iteration (to be described more fully below). Encryption unit 204 
on the other hand is intended to represent a broad range of encryption elements 
known in the art. Accordingly, except for the manner encryption unit 204 cooperates 
with ciphering round key generator 202, encryption unit 204 will not be further 

15 described. 

Also as shown, decipher function 108 is similarly constituted. Decipher 
function 108 includes decipher round key generation unit 206 and decryption 
function 208 coupled to each other as shown. Decipher round key generation unit 
206 is employed to successively generate a number of deciphering round keys in 

20 real time in a pipelined and as needed manner, based off provided deciphering 
"master" key K' (which is the bottom N k words of the data words of the ciphering 
round keys employed to generate ciphered text). Decryption function 208 is 
employed to incrementally decrypt or decipher ciphered text C, using the generated 
deciphering round keys as they are successively made available. More specifically, 

25 deciphering round key generation unit 206 generates the next deciphering round 
key required by decryption unit 208, while decryption unit 208 is incrementally 
deciphering the ciphered text C or a partially deciphered text for another round using 
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the previously generated deciphering round key. In other words, deciphering round 
key generation unit 206 generates the first deciphering round key based off the 
provided deciphering "master" key K\ and provides the first generated deciphering 
round key to use to incrementally decipher ciphered text C. Thereafter, while 
5 decryption unit 208 incrementally deciphers ciphered text C for one round, 

deciphering round key generation unit 206 generates the next deciphering round 
key. Upon completion of the first deciphering round, decryption unit 208 
incrementally deciphers the partially deciphered text for another round, while 
deciphering round key generation unit 206 generates yet another next deciphering 

10 round key. The process continues until the required number of rounds have been 
performed, with deciphering round key generation unit 206 generating the "last" 
deciphering round key (i.e. the first ciphering round key), and thereafter, decryption 
function 208 incrementally deciphers the partially deciphered text for one last round, 
reproducing the original plain text M. 

15 Deciphering round key generator 206 includes in particular the same (or 

functionally equivalent) transformation means employed by ciphering round key 
generator 202 to generate the ciphering round keys. In like manner, deciphering 
round key generator 206 employs the transformation means in the pipelined process 
of the present invention for generating the deciphering round keys in a pipelined 

20 manner, transforming an input data word at each iteration (also to be described 

more fully below). Decryption unit 208 is also intended to represent a broad range 
of decryption elements known in the art. Accordingly, except for the manner 
decryption unit 208 cooperates with deciphering round key generator 206, 
decryption unit 208 will not be further described either. 
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Ciphering and Deciphering Round Key Generators 
Figures 3a-3b illustrate one embodiment each of ciphering round key 
generator 202 and deciphering round key generator 206 of Figure 2 in further 
details, in accordance with one embodiment. As illustrated in Fig. 3a, for the 
5 embodiment, the ciphering "master" key is N k data words in length (W 0 through W Nk , 
302a, whereas each of the generated ciphering round keys is assumed to be N b 
data words in length (where N b may be less than, equal to, or greater than N k 
depending on the chosen plaintext block length and master key length). Further, 
each of the data word W, is q bits wide, e.g. 32 bits. 

10 The ciphering master key K provides the top N k words. Thus, if N b = N k , the 

first ciphering round key is the ciphering master key K; and generation of the rest of 
ciphering round keys starts with the first data word of the second ciphering round 
key. If N b > N k) the first N k data words of the first ciphering round key is provided by 
the ciphering master key K; and generation of the rest of ciphering round keys starts 

15 with the N k+1 data word of the first ciphering round key. If N b < N k , the first ciphering 
round key is provided by the first N b data words of the ciphering master key K; 
generation of the rest of ciphering round keys starts with the N Nk Nb+1 data word of the 
second ciphering round key (assuming 2N b < N k , otherwise, the second ciphering 
round key is provided by the N b+1 to N 2b data words of the ciphering master key K, 

20 and so forth). 

Thus, upon "consuming" the ciphering master key K, ciphering round key 
generation unit 202 in general, generates each of the subsequent ciphering round 
key by iteratively generating its N b data words over N b iterations (except for the 
"partial" situations described earlier). That is, the N b data words of the n th ciphering 

25 round key are generated by iteratively generating data words W (n . 1)Nb through W nNb _ 1 
over N b iterations. 
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As illustrated, for the embodiment, ciphering round key generation unit 202 
includes conditional transformation unit 303a, and XOR function 304a, coupled to 
each other as shown. Conditional transformation unit 303a is employed to 
conditionally transform the last generated round key data word (W h1 ), for each of the 
5 round key data word generation iterations of the ciphering round key generation 
process for generating a ciphering round key. XOR function 304a is employed to 
generate the next round key data word (Wj) for each of the round key data word 
generation iterations of the ciphering round key generation process for generating a 
ciphering round key. XOR function 304a generates each next round key data word 

10 (WJ by performing an XOR operation on the conditionally transformed last 

generated round key data word (W M ) and a predecessor round key data word of N k 
data words earlier (Wj_ Nk ), i.e. a predecessor round key data word with a predecessor 
distance of the length of the ciphering "master" key. 

Thus, for an embodiment with (R+1 ) ciphering round keys, with each 

15 ciphering round key being N b words long, a total of N b (R+1 )-N k iterations are 
performed to successively generate the (R+1) ciphering round keys. 

Similarly, for deciphering round key generation unit 206, as illustrated in Fig. 
3b, for the embodiment, the deciphering "master'' key K is N k data words long 
(W Nb(R+1) . Nk through W^,.!) 302b, whereas each of the generated deciphering 

20 round keys is N b data words in length. Further, each of the data word Wj is also q 
bits wide, e.g. 32 bits. The first N k data words of the deciphering round keys are 
provided by the deciphering "master" key K. Again, depending on whether N b is 
equal to, greater than or less than N k , generation of the data words of the 
deciphering round keys starts with the first data word of the second deciphering 

25 round key, the N k+1 data word of the first deciphering round key, or the N nk . nb+1 data 
word of the second ciphering round key (again assuming 2N b < N k ). In general, 
upon "consuming" the data words of the deciphering master key, deciphering round 
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key generation unit 206 in general generates each of the subsequent deciphering 
round keys by iteratively generating its N b data words over N b iterations (except for 
the "partial" situations described). 

As illustrated, for the embodiment, deciphering round key generation unit 206 
5 includes conditional transformation unit 303b, and XOR function 304b, coupled to 
each other as shown. Conditional transformation unit 303b is similarly employed to 
conditionally transform a predecessor round key data word of N k data words earlier 
(the length of the ciphering "master" key) (W^^), for each of the round key data 
word generation iterations of the deciphering round key generation process for 

10 generating a deciphering round key. XOR function 304b is employed to generate 
the next round key data word (Wj) for each of the round key data word generation 
iterations of the deciphering round key generation process for generating a 
deciphering round key. XOR function 304b generates each next round key data 
word (W,) by performing an XOR operation on (the conditionally transformed 

15 predecessor round key data word) and W l+Nk (the round key data word that 

'immediately follows'). The phrase "immediately following" refers to the order of the 
round key data words are generated, also referred to as a "bottom to top" order of 
generation (see Fig. 3b). 

Thus, for an embodiment with (R+1) deciphering round keys, with each 

20 ciphering round key being N b words long, a total of N b (R+1)-N k iterations are 
performed to successively generate the (R+1) deciphering round keys. 

Thus, it can be seen from the above description, deciphering may start as 
soon as the first deciphering round key is generated. Further, the amount of storage 
requirement needed for holding the relevant deciphering round key data words may 

25 be as little as the greater of N K + 1 or N b + 1 data words (depending on whether N k 
or N b is greater. 
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Transformation Unit 
Figure 4 illustrates transformation unit 303a/303b of ciphering/deciphering 
round key generator 202/206 of Figure 3 in further detail, in accordance with one 
embodiment. As described earlier, transformation unit 303a/303b conditionally 
5 transforms an input data word to be employed in the generation of the next round 
key data word of a ciphering/deciphering round key. As illustrated, transformation 
unit 303a/303b includes conditional passthru circuitry 306a and 306b, inverse 
lookup table 308a and 308b, substitution boxes 309a and 309b, rotational shift 
register 307, XOR function 310, and selector 312, coupled to each other as shown. 

10 Conditional passthru circuitry 306a-306b conditionally routes an input data 

word (W M in the case of ciphering, and in the case of deciphering) to one of 

three transformation paths, to be transformed zero or more times, depending on at 
least the multiplicity between the iteration index i and the deciphering master key 
length (N k ), to be described in more detail below. 

15 Rotational shift register 307 is part of the transformation path that transforms 

the input data word multiple times. Specifically, it is employed on the "yes" path of 
passthru circuitry 306a to rotate the input data word in a predetermined direction for 
a predetermined number of bits. For the illustrated embodiment, the predetermined 
direction is rotation to the "left" (towards the MSB) and the predetermined number of 

20 bits is 8. In alternate embodiments, other quantities of rotation as well as rotation to 
the right (towards the LSB) may be practiced instead 

For the illustrated embodiment, the inverse lookup circuitry and substitution 
box pairs 308a and 309a, and 308b and 309b, are disposed on two transform paths 
providing one and multiple transformations to the input data word (on a byte basis) 

25 respectively. Each inverse lookup circuitry 308a/308b looks up the inverse of a byte 
of the input data word. In one embodiment, the inverse values are pre-computed 
e.g. by computing the multiplicative inverse of GF(2 8 ) modulo the binary polynomial 
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of 0x1 1B (where OxOO(zero) is defined as its own inverse). In alternate 
embodiments, the inverse values may be computed in real time. Each substitution 
box 309a/309b is an 8x8 substitution box containing a number of predetermined 
substitution values to be applied to each byte of an input data word. The manner in 
5 which the substitution values may be determined is described in more detail below. 

When routed along the "yes" path of passthru circuitry 306a, the input data 
word, upon rotation (using rotational shift unit 307), is transformed using the inverse 
lookup and substitution box pair 308a and 309a. As alluded to earlier, the 
transformation is applied on a byte by byte basis. That is, the transformation is 

10 applied to each byte independently. The twice transformed input data word is 

further transformed by XOR function 310, performing an XOR operation on the twice 
transformed input data word and a computational constant. The computational 
constant is looked up from a look up table (not shown) having values (z H , 00, 00, 
00), where j is the look up index, and equals to the floor value of dividing the 

15 iteration index i by N k . Thereafter, the thrice transformed data word is provided to 
selector 312 for selection, which selects the thrice transformed data word if the 
transformations provided by the "yes" path of passthru circuitry 306a is to be 
applied. 

When routed along the "yes" path of passthru circuitry 306b (and "no" path of 
20 passthru circuitry 306a), the input data word is transformed using the inverse lookup 
and substitution box pair 308b and 309b (on a byte by byte basis as earlier 
described). The transformed input data word is provided to selector 312 for 
selection, which selects the particular transformed data word if the transformation 
provided by the "yes" path of passthru circuitry 306b (and "no" path of passthru 
25 circuitry 306a) is to be applied. 

When routed along the "no" path of passthru circuitry 306b (and "no" path of 
passthru circuitry 306a), the input data word is provided to selector 312 for selection 
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(without transformation), which selects the particular untransformed data word if no 
transformation handling provided by the "no" path of passthru circuitry 306b (and no 
path of passthru circuitry 306a) is to be followed. 

Each of these elements, conditional passthru circuitry 306a-306b, rotational 
5 shift register 307, inverse lookup circuitries 308a-308b, substitution boxes 309a- 
309b, XOR function 310, and selector 312 may be formed using any individual or 
combinations of combinatorial logic and/or storage elements known in the art. 
Further, other manners of transformation, in particular, non-byte basis 
transformation may be employed instead. 

10 For the illustrated embodiment, the no transformation handling provided by 

the "no" paths of passthru circuitry 306a-306b is followed if the iteration index i is not 
a multiple of N k or N k is not greater than 6 or if N k is greater than 6 but the value of 
iteration index i minus 4 is not a multiple of N k ,. If the iteration index i is a multiple of 
N k , the transformations provided by the "yes" paths of passthru circuitry 306a are 

15 applied. On the other hand, if the iteration index i is not a multiple of N k but N k 

isgreaterthan 6, and the value of the iteration index i minus 4 is a multiple of N k , the 
transformation provided by the "yes" path of passthru circuitry 306b (and "no" path 
of passthru circuitry 306b) is applied. 

20 Substitution Values Computation and Example Data Structure 

As alluded to earlier, for the illustrated embodiment, each substitution box is 8x8 in 
size to be applied to each bye of a data word. In one embodiment, the substitution 

byte values of the substitution box may be determined as follows. Let x^ x 7 and 

yoW^y? represent the corresponding 8 bits of the x input and y output values of the 

25 8x8 embodiment. That is, the x input values are the selected byte outputs of the 
"inverse" lookup circuitry 308a/308b based on the input data word. Then x and y 
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can be said to have affine relation of y = Ax +b, where operations are computed 
mod 2, and where A and b are given by 



"loooiin" 




V 


11000111 




i 


11100011 




0 


11110001 




0 




b= 




11111000 




0 


01111100 




1 


00111110 




1 


00011111 




0 



Figure 5 illustrates a look up table suitable for use to implement the look up 
5 tables for storing the Rconst values of Figures 3a-3b. As illustrated, the desired 
iteration index dependent computational values, for efficient of operation, may be 
pre-computed and stored into example lookup table 500 comprising at least two 
columns 502 and 504. Column 502 is employed to store the computed input value, 
which as described earlier is equal to the floor value of dividing the iteration index i 
10 by N k (the number of data words in the ciphering "master" key). Column 504 is 
employed to store the output values (z H , 00, 00, 00). z j1 is an element of GF(2 8 ). 

In one alternate embodiment (where transformation is performed on a byte by 
byte basis), z is set to 2, and Rconst is dynamically generated instead. The left 
most byte of Rconst is generated by left shifting the constant 1 (the other bytes of 
15 Rconst are zero). That is, the left most byte of the jth constant is given by (1 « j), 
where the symbols "«" stand for left shifting, and (1 « j) means left shift by j bits. 
(Accordingly, in this alternate embodiment, the lookup table illustrated in Fig. 5 is 
not needed.) 
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Example Application 
Figure 6 illustrates an example application of the present invention. As 
illustrated, data routing device 602 comprising receive interface 604 and transmit 
interface 612 is advantageously provided with a number of decryption functions 606 
5 and a number of encryption functions 610. Additionally, data routing device 602 
may also include a number other function units 608. Decryption functions 606 and 
encryption functions 610 are provided to perform decryption and encryption for a 
number of network traffic flows, one each for a network traffic flow. More 
importantly, decryption functions 606 and encryption functions 610 are incorporated 

10 with the teachings of the present invention, enabling them to advantageously 
generate the deciphering/ciphering round keys in a pipelined and as needed 
manner. The deciphering master keys (K') of the different decryption functions 606 
for the different network traffic flows may be the same, or different, or some are the 
same, while others are different. Likewise, the ciphering master keys (K) of the 

15 different encryption functions 610 for the different network traffic flows may be the 
same, or different, or some are the same, while others are different. 

Typically, the K's and Ks are provided to data routing device 602 e.g. by a 
network administrator. Alternatively, the K's may be exchanged between data 
routing device 602 and another party who wants to engage in secured 

20 communication with data routing device 602. The provision may e.g. be made over 
secured channels (not shown). Of course, the K's are pre-generated from their 
corresponding Ks. 

As described earlier, each of decryption functions 606 and encryption 
functions 610 may start decryption and encryption of the corresponding network 

25 traffic flow as soon as the first deciphering or ciphering round key is available (with 
or without having to be at least partially generated, as the case may be depending 
on the relative size of N b and N k as described earlier). Further, the amount of 
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storage requirement for provisioning data routing device 602 to be able to handle 
the decryption and encryption of multiple network traffic flows at the same time is 
substantially reduced under the present invention. As a result of the storage 
requirement savings, data routing device 602 may be advantageously disposed on a 
5 single integrated circuit. Thus, together with the "fast start", data routing device 602 
is able to handle high speed line rate data decryption and encryption for multiple 
data flows at the same time. In one embodiment, data routing device 602 is an IC 
component for routing packets transmitted over an optical medium onto an electrical 
medium at very high speed. 
10 The advantages of data routing device 602 is most evident when the K's can 

be reused multiple times, such as in bulk encryption applications (e.g. SSH tools 
such as ssh and scp, or Secure Sockets Layer (SSL) services for secure web 
browser sessions) where many blocks of data need to be encrypted using the same 
key, sent securely, then decrypted. 

15 

Conclusion and Epilogue 
Thus, it can be seen from the above descriptions, a novel method and 
apparatus for deciphering ciphered text, in particular, having the required deciphering 
round keys generated in a pipelined manner on an as needed basis, has been 

20 described. While the present invention has been described in terms of the above 

described embodiments, those skilled in the art will recognize that the invention is not 
limited to the embodiments described. The present invention can be practiced with 
modification and alteration within the spirit and scope of the appended claims. Thus, 
the description is to be regarded as illustrative instead of restrictive on the present 

25 invention. 
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